There is steady growth in services that utilize information regarding personal purchasing histories and current position information to deliver content to users who match given parameters. Such services encompass the information providing services referred to as targeted advertising, for example.
On the other hand, conducting such services involves handling personal information in order to identify the range of information to provide. For this reason, it is important to protect user privacy so that individuals are not identified as a result of using the service.
In order to provide services that make use of personal information while also protecting the privacy of the persons receiving the service, a structure may be used wherein instead of having the service provider both manage and utilize personal information, a personal information administrator separate from the service provider manages personal information and intermediates between the service provider and the users. By using such a structure, it becomes possible to provide services based on personal information, without passing on personal information to the service provider.
However, problems such as the following still exist in the case of a model that separates the personal information administrator from the service provider.
Consider an example of a model wherein the service provider specifies user attribute criteria, receives user information matching the criteria from the personal information administrator, and provides services to those users. In this case, even if the received information does not include personal information, at least the attribute information specified in the criteria is passed to the service provider.
Consider an example of another model wherein the service provider specifies user attribute criteria and passes content access information to the personal information administrator. The personal information administrator then provides a delivery trigger for the content to users matching the specified attribute criteria, and the users access the content from the service provider. In this case, personal information in and of itself is not passed to the service provider. However, when specifying criteria with respect to the content, if the attribute criteria are specified so as to reduce the number of users matching those criteria to an extremely small number, then when users acquire the content, the accessing users will be known to match those attributes. In other words, if content is provided by specifying fine-grained attribute criteria with few potential matches, then user anonymity might not be sufficiently protected.
Given the above problems, technologies have been established that make it difficult to identify users by delivering content to at least a certain number of users. For example, Japanese Laid-open Patent Publication No. 2007-219636 discloses a method for disclosing data to users on the basis of user presence as recorded by a camera. In this method, when a user information administrator receives a personal information acquisition request (more specifically, a request to search users recorded at a particular time of witnessing) from a service provider that discloses data, and if the number of users who match the time of witnessing is not at least a certain number, then the time of witnessing is changed to a time frame of witnessing, and information for at least a certain number of users found by search is provided to the service provider.
Additionally, Japanese Laid-open Patent Publication No. 2005-031966 discloses a method for receiving presence information provided by an information provider, and providing presence information with abstracted attribute values in response to requests from users. In this method, if the number of users to be provided does not satisfy a certain number, then the level of abstraction with respect to the position information of the users using the service is raised, users matching the criteria are acquired, and presence information is provided.
In the technology disclosed in Japanese Laid-open Patent Publication No. 2007-219636, consider the example of a personal information acquisition request issued with “3:30 PM” set as the time of witnessing. In this case, if there is only one matching user, the anonymity of that user cannot be guaranteed. However, if the granularity of the attribute value is changed to “3:01 to 6:00 PM” and the number of matching users is increased to 10, for example, then user information may be provided to a service provider while protecting user anonymity.
However, since the criteria (e.g., the time of witnessing) are changed in the technology disclosed in Japanese Laid-open Patent Publication No. 2007-219636, user information found using past information is provided in cases where other additional criteria (position information) are specified. As a result, the service provider acquires information that differs from the user information for the time when the service was provided. More specifically, if criteria are set such that the time of witnessing is 3:30 PM and the location is X, there will exist users in the provided user information who had already left location X prior to the time of witnessing 3:30 PM.
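As an added illustration that is not part of the publication or of either cited patent, the widening step described above is run over constructed presence records: the time-of-witnessing window around the requested time is widened in fixed steps until at least k users match at location X, and the result is then checked for users whose last sighting at X was already before the requested time. The record layout, the step size and the maximum window width are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample presence records (not data from the publication).
@dataclass
class Presence:
    user: str
    location: str
    seen_at: datetime

def t(hhmm: str) -> datetime:
    """Build a sighting time on a fixed sample day from an 'HH:MM' string."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))

RECORDS = [
    Presence("u1", "X", t("15:30")),
    Presence("u2", "X", t("15:05")),
    Presence("u3", "X", t("15:12")),
    Presence("u4", "Y", t("15:30")),
    Presence("u5", "X", t("15:50")),
    Presence("u6", "X", t("16:20")),
    Presence("u7", "X", t("17:55")),
]

def users_in_window(records, location, start, end):
    """Users seen at `location` with a time of witnessing in [start, end]."""
    return {r.user for r in records
            if r.location == location and start <= r.seen_at <= end}

def widen_until_k(records, location, time_of_witnessing, k,
                  step=timedelta(minutes=15), max_half=timedelta(hours=3)):
    """Related-art style widening: grow the window symmetrically around the
    requested time until at least k users match. Returns (start, end, users),
    or None if k is still not reached when the half-width hits max_half."""
    half = timedelta(0)
    while half <= max_half:
        start, end = time_of_witnessing - half, time_of_witnessing + half
        users = users_in_window(records, location, start, end)
        if len(users) >= k:
            return start, end, users
        half += step
    return None

def stale_users(records, location, time_of_witnessing, users):
    """Users in the widened result whose latest sighting at `location` lies
    before the requested time: they had already left when the service ran."""
    latest = {}
    for r in records:
        if r.location == location and r.user in users:
            latest[r.user] = max(latest.get(r.user, r.seen_at), r.seen_at)
    return {u for u, seen in latest.items() if seen < time_of_witnessing}
```

With k=5 the window grows to 14:30 through 16:30 before five users at X are found, and two of those five (u2 and u3) were last seen at X before 3:30 PM, which is exactly the mismatch described above.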
Furthermore, even with the technology disclosed in Japanese Laid-open Patent Publication No. 2005-031966, the range of position information set as the criteria is extended by raising the abstraction level. For this reason, many of the users matching the extended criteria will have little relation to the information to be provided.
Consequently, when methods similar to the related art discussed above are used and the range of criteria specifying target users is over-extended, information will be provided even to users who have no need of the information.
Up until now, a process has not been realized for extending the range of user-specifying criteria so as to satisfy a certain minimum number of users for preserving user anonymity, while also determining a suitable range such that the range does not become overly broad.